
HIPAA/HITECH Compliance: Rules You Should Be Following to Stay in Compliance

In summary, the HIPAA HITECH rules cover the following areas of compliance:

Privacy Rule

Security Rule

Breach Notification Rule

Enforcement Rule

Unique Identifiers Rule

The primary focus for most organizations required to comply with HIPAA/HITECH is ensuring compliance with the Privacy and Security Rules. The major goal of these HIPAA regulations is to ensure that any identifiable Personal Health Information (PHI) is kept secure and confidential and is accessed only by authorized personnel. These rules also apply to vendors who “could” have access to PHI.

These regulations can be met by a combination of policies, training, and technology tools and services (such as password protection and e-mail encryption) designed to secure this information.

Certain components of the Security Rule are not strictly required (they are referred to as “addressable” in the rules). However, an organization may choose not to implement an addressable standard only if it clearly cannot do so and documents why it is unable to do so.

Overview of the New Rules (2013)

Significant changes to these rules include:

The expansion of the definition of business associates to include subcontractors that access PHI

The imposition of direct liability under the rules on business associates for compliance with certain HIPAA privacy and security rule requirements (previously, liability only rested with the covered entity)

Additional and revised provisions that covered entities and business associates must include in their business associate agreements

A deadline of September 22, 2014, by which all business associate agreements must comply with the new rules

Additional disclosures in covered entities’ HIPAA privacy notices, including language that informs individuals of their right to be notified of breaches of their PHI

Substantial lowering of the threshold for notification of affected individuals in the event of a breach of PHI, and a requirement to conduct a documented risk assessment in the event notification is not provided in reliance on the harm threshold

An expansion of individuals’ rights to access their PHI.

For more information on our Technology Partners HIPAA Compliance services, contact Brian Rosenfelt by leaving a message below, or by calling 440-449-6800.